Message ID | BANLkTimD+fvhrhpc+kPXt1qMnQvVi2dw=Q@mail.gmail.com |
---|---|
State | RFC, archived |
Delegated to: | David Miller |
On Sat, Jun 25, 2011 at 12:33:05AM +0100, Nick Carter wrote:
> @@ -98,6 +98,14 @@ int br_handle_frame_finish(struct sk_buff *skb) > } > > if (skb) { > + /* Prevent Crosstalk where a Supplicant on one Port attempts to > + * interfere with authentications occurring on another Port. > + * (IEEE Std 802.1X-2001 C.3.3) > + */ > + if (unlikely(!br->pae_forward && > + skb->protocol == htons(ETH_P_PAE))) > + goto drop; > + > if (dst) > br_forward(dst->dst, skb, skb2); > else > @@ -166,6 +174,10 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb) > if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) > goto forward; > > + /* Check if PAE frame should be forwarded */ > + if (p->br->pae_forward && skb->protocol == htons(ETH_P_PAE)) > + goto forward; > + > if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, > NULL, br_handle_local_finish)) > return NULL; /* frame consumed by filter */

No, please don't.

Linux bridging has two "grand" modes: dumb and STP enabled.

If we're running a dumb bridge, we behave like an ethernet hub without any intelligence, and in that case we should absolutely forward 802.1X frames. We may have (e.g. VM) client(s) that want to authenticate with a physical switch. (For the spec, this counts as "repeater", not "bridge"/"switch")

If we're running with STP enabled, then 802.1X traffic should already be caught by the general ethernet link-local multicast drop (which applies to 01:80:c2:/24 and therefore catches 802.1X too.)

-David

--
To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
On Tue, 28 Jun 2011 17:02:57 +0200 David Lamparter <equinox@diac24.net> wrote:
> On Sat, Jun 25, 2011 at 12:33:05AM +0100, Nick Carter wrote:
> > @@ -98,6 +98,14 @@ int br_handle_frame_finish(struct sk_buff *skb) > > } > > > > if (skb) { > > + /* Prevent Crosstalk where a Supplicant on one Port attempts to > > + * interfere with authentications occurring on another Port. > > + * (IEEE Std 802.1X-2001 C.3.3) > > + */ > > + if (unlikely(!br->pae_forward && > > + skb->protocol == htons(ETH_P_PAE))) > > + goto drop; > > + > > if (dst) > > br_forward(dst->dst, skb, skb2); > > else > > @@ -166,6 +174,10 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb) > > if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) > > goto forward; > > > > + /* Check if PAE frame should be forwarded */ > > + if (p->br->pae_forward && skb->protocol == htons(ETH_P_PAE)) > > + goto forward; > > + > > if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, > > NULL, br_handle_local_finish)) > > return NULL; /* frame consumed by filter */
>
> No, please don't.
>
> Linux bridging has two "grand" modes: dumb and STP enabled.
>
> If we're running a dumb bridge, we behave like an ethernet hub without
> any intelligence, and in that case we should absolutely forward 802.1X
> frames. We may have (e.g. VM) client(s) that want to authenticate with a
> physical switch.
> (For the spec, this counts as "repeater", not "bridge"/"switch")
>
> If we're running with STP enabled, then 802.1X traffic should already be
> caught by the general ethernet link-local multicast drop (which applies
> to 01:80:c2:/24 and therefore catches 802.1X too.)

The problem is that STP is not enabled by default, and most people don't know how to enable it.
On Tue, Jun 28, 2011 at 08:10:15AM -0700, Stephen Hemminger wrote:
> On Tue, 28 Jun 2011 17:02:57 +0200
> David Lamparter <equinox@diac24.net> wrote:
> > > if (skb) { > > > + /* Prevent Crosstalk where a Supplicant on one Port attempts to > > > + * interfere with authentications occurring on another Port. > > > + * (IEEE Std 802.1X-2001 C.3.3) > > > + */ > > > + if (unlikely(!br->pae_forward && > > > + skb->protocol == htons(ETH_P_PAE)))
> >
> > No, please don't.
> >
> > Linux bridging has two "grand" modes: dumb and STP enabled.
> >
> > If we're running a dumb bridge, we behave like an ethernet hub without
> > any intelligence, and in that case we should absolutely forward 802.1X
> > frames. We may have (e.g. VM) client(s) that want to authenticate with a
> > physical switch.
> > (For the spec, this counts as "repeater", not "bridge"/"switch")
> >
> > If we're running with STP enabled, then 802.1X traffic should already be
> > caught by the general ethernet link-local multicast drop (which applies
> > to 01:80:c2:/24 and therefore catches 802.1X too.)
>
> The problem is that STP is not enabled by default, and most people don't
> know how to enable it.

Yes, the default is a dumb hub (IMHO correctly so). And a dumb hub will forward 802.1X packets (IMHO also correctly so).

Why should we specifically add a knob for EAPOL? Next we're adding one for STP itself, then one for LLDP, then one for Cisco's deprecated crap (CDP, DTP, ...) etc.

If you want a dumb hub that drops EAPOL, use ebtables.

-David
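To make the behaviour argued over in this thread concrete, here is an added example (written for this page, not code from the thread or from the kernel tree) that models the link-local ingress decision quoted from br_handle_frame() and the check the patch adds to br_handle_frame_finish() as a plain user-space C program. It matches the 01:80:c2:00:00:00 to 01:80:c2:00:00:0f block that the kernel's is_link_local() tests; `struct bridge_cfg`, its `patched` flag (0 = bridge before the patch, 1 = patch applied with its pae_forward knob), the verdict names, the scenario functions and the sample MAC addresses are constructions of this example, not kernel identifiers. With STP off it prints the three cases the thread cares about: a VM's EAPOL-Start to the PAE group address is handed to the local stack before and after the patch unless pae_forward is set, while the switch's unicast EAP-Request, which today's dumb bridge repeats, is dropped by the patched default.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EtherTypes as defined in the kernel's if_ether.h. */
#define ETH_P_802_2 0x0004  /* LLC frames, which is how a BPDU arrives */
#define ETH_P_IP    0x0800  /* IPv4, standing in for ordinary traffic */
#define ETH_P_PAUSE 0x8808  /* IEEE 802.3 flow control */
#define ETH_P_PAE   0x888E  /* IEEE 802.1X Port Access Entity (EAPOL) */

enum verdict { FORWARD, LOCAL, DROP };

/* Constructed model of the bridge state. `patched` is a flag of this
 * example only: 0 models the bridge before the patch, 1 models the patch
 * applied together with the pae_forward knob it introduces. */
struct bridge_cfg {
    int stp_enabled;
    int patched;
    int pae_forward;
};

/* The Bridge Group Address block matched by the kernel's is_link_local():
 * 01:80:c2:00:00:00 .. 01:80:c2:00:00:0f (last byte compared under 0xf0). */
static int is_link_local(const uint8_t *dest)
{
    static const uint8_t br_group_prefix[5] = { 0x01, 0x80, 0xc2, 0x00, 0x00 };
    return memcmp(dest, br_group_prefix, 5) == 0 && (dest[5] & 0xf0) == 0;
}

/* Ingress decision of br_handle_frame(), followed by the forwarded-path
 * check the patch adds to br_handle_frame_finish(). */
enum verdict bridge_decide(const struct bridge_cfg *cfg,
                           const uint8_t *dest, uint16_t ethertype)
{
    if (is_link_local(dest)) {
        if (ethertype == ETH_P_PAUSE)
            return DROP;            /* pause frames never cross a bridge */
        if (!cfg->stp_enabled && dest[5] == 0)
            return FORWARD;         /* STP off: BPDUs are repeated like a hub */
        if (cfg->patched && cfg->pae_forward && ethertype == ETH_P_PAE)
            return FORWARD;         /* patch: EAPOL group frames, if enabled */
        return LOCAL;               /* NF_BR_LOCAL_IN path, not forwarded */
    }
    /* Every other frame reaches br_handle_frame_finish(). */
    if (cfg->patched && !cfg->pae_forward && ethertype == ETH_P_PAE)
        return DROP;                /* patch default: unicast EAPOL dropped */
    return FORWARD;
}

/* Constructed sample addresses for the scenarios in the thread. */
static const uint8_t PAE_GROUP[6] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x03 };
static const uint8_t STP_GROUP[6] = { 0x01, 0x80, 0xc2, 0x00, 0x00, 0x00 };
static const uint8_t VM_MAC[6]    = { 0x52, 0x54, 0x00, 0x12, 0x34, 0x56 };

/* Supplicant (VM behind the bridge) sends EAPOL-Start to the PAE group address. */
enum verdict eapol_start_from_vm(int stp_enabled, int patched, int pae_forward)
{
    struct bridge_cfg cfg = { stp_enabled, patched, pae_forward };
    return bridge_decide(&cfg, PAE_GROUP, ETH_P_PAE);
}

/* Authenticator (physical switch) answers with a unicast EAP-Request. */
enum verdict eap_request_to_vm(int stp_enabled, int patched, int pae_forward)
{
    struct bridge_cfg cfg = { stp_enabled, patched, pae_forward };
    return bridge_decide(&cfg, VM_MAC, ETH_P_PAE);
}

/* Ordinary IPv4 unicast to the VM, unaffected by the knob. */
enum verdict ipv4_to_vm(int stp_enabled, int patched, int pae_forward)
{
    struct bridge_cfg cfg = { stp_enabled, patched, pae_forward };
    return bridge_decide(&cfg, VM_MAC, ETH_P_IP);
}

/* An STP BPDU; only stp_enabled matters here. */
enum verdict bpdu(int stp_enabled, int patched, int pae_forward)
{
    struct bridge_cfg cfg = { stp_enabled, patched, pae_forward };
    return bridge_decide(&cfg, STP_GROUP, ETH_P_802_2);
}

typedef enum verdict (*scenario_fn)(int stp_enabled, int patched, int pae_forward);

/* One row, STP off: before the patch / patched, pae_forward=0 / patched, pae_forward=1. */
static void print_row(const char *label, scenario_fn fn)
{
    static const char *const name[] = { "FORWARD", "LOCAL", "DROP" };
    int patched, pae;

    printf("%-38s", label);
    for (patched = 0; patched < 2; patched++)
        for (pae = 0; pae <= patched; pae++)
            printf(" %-14s", name[fn(0, patched, pae)]);
    putchar('\n');
}

int main(void)
{
    puts("STP off                                before         pae_forward=0  pae_forward=1");
    print_row("EAPOL-Start  VM -> 01:80:c2:00:00:03", eapol_start_from_vm);
    print_row("EAP-Request  switch -> VM (unicast)", eap_request_to_vm);
    print_row("IPv4         switch -> VM (unicast)", ipv4_to_vm);
    print_row("STP BPDU     -> 01:80:c2:00:00:00", bpdu);
    return 0;
}
```

The table makes David's point visible: the only row the patched default changes is the unicast EAP-Request, which is exactly the frame a VM supplicant needs to receive from a physical switch. The model also shows that with pae_forward set the group-address EAPOL frame is forwarded even when stp_enabled is 1, because the added check in br_handle_frame() is not tied to BR_NO_STP the way the BPDU check is.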
diff --git a/net/bridge/br_if.c b/net/bridge/br_if.c index d9d1e2b..a401ed4 100644 --- a/net/bridge/br_if.c +++ b/net/bridge/br_if.c @@ -214,6 +214,7 @@ static struct net_device *new_bridge_dev(struct net *net, const char *name) br->topology_change = 0; br->topology_change_detected = 0; br->ageing_time = 300 * HZ; + br->pae_forward = false; br_netfilter_rtable_init(br); diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c index 90e985b..79b03fa 100644 --- a/net/bridge/br_input.c +++ b/net/bridge/br_input.c @@ -98,6 +98,14 @@ int br_handle_frame_finish(struct sk_buff *skb) } if (skb) { + /* Prevent Crosstalk where a Supplicant on one Port attempts to + * interfere with authentications occurring on another Port. + * (IEEE Std 802.1X-2001 C.3.3) + */ + if (unlikely(!br->pae_forward && + skb->protocol == htons(ETH_P_PAE))) + goto drop; + if (dst) br_forward(dst->dst, skb, skb2); else @@ -166,6 +174,10 @@ struct sk_buff *br_handle_frame(struct sk_buff *skb) if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0) goto forward; + /* Check if PAE frame should be forwarded */ + if (p->br->pae_forward && skb->protocol == htons(ETH_P_PAE)) + goto forward; + if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev, NULL, br_handle_local_finish)) return NULL; /* frame consumed by filter */ diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h index 4e1b620..8977d66 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -244,6 +244,8 @@ struct net_bridge struct timer_list multicast_query_timer; #endif + bool pae_forward; /* 802.1x frames forwarded / dropped */ + struct timer_list hello_timer; struct timer_list tcn_timer; struct timer_list topology_change_timer; diff --git a/net/bridge/br_sysfs_br.c b/net/bridge/br_sysfs_br.c index 5c1e555..de3550f 100644 --- a/net/bridge/br_sysfs_br.c +++ b/net/bridge/br_sysfs_br.c 
@@ -679,6 +679,28 @@ static DEVICE_ATTR(nf_call_arptables, S_IRUGO | S_IWUSR, show_nf_call_arptables, store_nf_call_arptables); #endif +static ssize_t show_pae_forward(struct device *d, struct device_attribute *attr, + char *buf) +{ + struct net_bridge *br = to_bridge(d); + return sprintf(buf, "%d\n", br->pae_forward); +} + +static int set_pae_forward(struct net_bridge *br, unsigned long val) +{ + br->pae_forward = val ? true : false; + return 0; +} + +static ssize_t store_pae_forward(struct device *d, + struct device_attribute *attr, const char *buf, + size_t len) +{ + return store_bridge_parm(d, buf, len, set_pae_forward); +} +static DEVICE_ATTR(pae_forward, S_IRUGO | S_IWUSR, show_pae_forward, + store_pae_forward); + static struct attribute *bridge_attrs[] = { &dev_attr_forward_delay.attr,
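Review bot: `br->pae_forward = false` in new_bridge_dev() makes dropping the default, and together with the `goto drop` added to br_handle_frame_finish() that changes what an existing bridge does on upgrade: unicast EAPOL frames it repeats today (an authenticator's replies to a supplicant behind the bridge) are silently dropped. If the knob is kept, initialise it to `true` so the current behaviour is preserved and dropping is an explicit opt-in.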
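Review bot: in the br_handle_frame_finish() hunk the new `goto drop` sits after the destination lookup but before the `br_forward(dst->dst, skb, skb2)` / flood hand-off, so it frees `skb` and skips whatever `skb2` was set up for local delivery; please confirm that for a frame where `skb2` is non-NULL nothing is leaked or freed twice on the `drop:` path. The condition also keys on `skb->protocol` alone, so it drops unicast EAPOL in both directions; the comment only cites C.3.3 crosstalk between supplicants, so spell out that unicast replies from an authenticator are dropped too, since that is the case disputed in the thread.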
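Review bot: the new PAE `goto forward` in br_handle_frame() is not conditioned on `stp_enabled == BR_NO_STP`, unlike the STP check two lines above it, so with pae_forward set a bridge running STP forwards EAPOL group-address frames that the link-local path would otherwise hand to NF_BR_LOCAL_IN; either add the `BR_NO_STP` condition or document why forwarding is wanted with STP on. The comment `/* Check if PAE frame should be forwarded */` only restates the condition; replace it with the reason (repeater behaviour for supplicants behind the bridge, 802.1X-2001 C.3.3).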
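Review bot: the field comment `/* 802.1x frames forwarded / dropped */` in br_private.h does not say which value means which; write it as `/* true: forward 802.1X (EAPOL) frames, false: drop them */`.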
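Review bot: the br_sysfs_br.c hunk defines `dev_attr_pae_forward`, but none of its 22 added lines adds `&dev_attr_pae_forward.attr` to `bridge_attrs[]`, whose opening lines are the hunk's trailing context; unless that is in a further hunk cut off here, the attribute never appears under the bridge's sysfs directory and the static DEVICE_ATTR is an unused definition. A new sysfs knob also needs a Documentation/ABI entry stating its semantics and default. Minor: `val ? true : false` in set_pae_forward() is just `!!val`.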